background
Wechat authentication needs to determine that the original domain name is a verifiable domain name, and this judgment is made by referring to the referer of the jump address. Normally, the browser will take the address of the current page as its referer, and we can also obtain it by modifying document.referer.
However, in the later versions of Chrome and in some CASES of UA, the policy has changed so that the referer domain is no longer added to the address jump. In this case, the authentication fails.
In some service scenarios, we may have made the judgment that if the code is invalid, a 302 jump will occur and the authentication will be repeated. In this case, the problem is more serious.
So how should the problem be solved?
The understanding of the referer
- Document. Referer: link
- Referer: link
One sentence description: after the jump address, append the field that can be used to determine the origin of the page, which can be used not only for the jump but also for resource class requests.
Chrome advanced version (85) brings problems
The default referer policy will function with no-referrer-when-downgrade, that is, referer will be allowed to take request parameters on the source page address. Chrome85 changes the policy to strict-origin-when-cross-origin. That is, if the request address is not the same as the requested page, only the requested domain name is carried, and the request parameter of the source page address is not carried.
So why did Chrome change to this strategy? Strengthen the privacy
How to actively enable this policy (early version)
If we also have this expectation, then how can we actively turn it on?
Front end Settings:
<meta name="referrer" content="strict-origin-when-cross-origin" />
Copy the code
Server request:
Referer Policy: strict-origin-when-cross-origin
How do I turn off this policy
Front end Settings:
<meta name="referrer" content="no-referrer-when-downgrade"" /> <! <img SRC ="..." referrerpolicy="no-referrer-when-downgrade" />Copy the code
Backend Settings:
The server will set the Referer Policy to no-referrer-when- downgraded
Back to the question
We need to adjust the scheme to close.
However, if it is directly set to off, there will be compatibility problems in the earlier version, so the final technical solution is as follows:
1 No processing is performed for earlier versions
2 Chrome higher version, or specify ua to add a specified meta tag
Specific code as follows: for reference only:
<! For different versions of the kernel, Set referrer property --> <script script type="text/javascript"> var chromeVersionMatch = window.navigator.userAgent.match(/Chrome/(\d*)/); var version = chromeVersionMatch && chromeVersionMatch[1]; if (version > 84) { var meta = document.createElement('meta'); meta.content='no-referrer-when-downgrade'; meta.name = 'referrer'; document.getElementsByTagName('head')[0].appendChild(meta); } </script>Copy the code
More and more
For the time being, there is no corresponding syntax for the policy to be directly determined. Therefore, you are advised to track the data of the corresponding problem and add the ua list and version that need to be compatible. If you have a better plan, please contact me for updates.